Which combination of steps will meet these requirements?
(Choose three.)
Ensure that each S3 bucket has a bucket policy that includes a Deny statement if the aws:SecureTransport condition is not present.
Create a CMK in AWS Key Management Service (AWS KMS). Turn on server-side encryption (SSE) on the S3 buckets, select SSE-KMS for the encryption type, and use the CMK as the key.
Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an "s3:x-amz-server-side-encryption":"aws:kms" condition.
Turn on server-side encryption (SSE) on the S3 buckets and select SSE-S3 for the encryption type.
Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an "s3:x-amz-server-side-encryption":"AES256" condition.
Turn on AWS Config. Use the s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, and s3-bucket-ssl-requests-only AWS Config managed rules to monitor the S3 buckets.
Explanations:
Implementing a bucket policy that denies requests that are not made over HTTPS (i.e., requests in which the aws:SecureTransport condition key evaluates to false) ensures that data in transit is encrypted. This step is crucial for maintaining the confidentiality of data as it moves to and from the S3 bucket.
Creating a customer managed key (CMK) in AWS KMS and enabling server-side encryption with that key (SSE-KMS) on the S3 bucket ensures that data at rest is encrypted. SSE-KMS provides additional security features, such as key rotation, a key policy for fine-grained access control, and CloudTrail logging of each use of the key.
A bucket policy that denies PutObject actions if the request does not specify s3:x-amz-server-side-encryption:aws:kms ensures that all data uploaded to the bucket is encrypted using KMS, thereby enhancing security at rest. Because StringNotEquals is a negated operator, the Deny also matches requests that omit the header entirely, so unencrypted uploads are rejected along with uploads that ask for a different encryption type.
While SSE-S3 provides server-side encryption, it uses S3-managed keys instead of KMS keys. This option does not meet the requirement to use a customer managed key (CMK) for encryption, which gives the account owner control over the key policy, rotation, and auditing of key use.
This policy denies PutObject actions if the request does not include s3:x-amz-server-side-encryption:AES256, which only enforces S3-managed keys (SSE-S3). It does not provide the required use of a CMK through KMS, thus failing to meet the stronger encryption requirement.
While AWS Config rules can monitor the public access settings of S3 buckets and report whether a bucket policy requires SSL, they are detective controls: they flag noncompliant buckets after the fact and do not themselves enforce encryption in transit or at rest. This option does not address the requirement to keep data protected in case of accidental public exposure of the bucket.
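The two bucket-policy statements described above (Deny when aws:SecureTransport is false, Deny PutObject unless the SSE-KMS header is present) are easy to get subtly wrong, so here is an added example, not taken from the question or from AWS, that builds the policy document and includes a small evaluator for the two condition operators it uses. The evaluator models only the Deny side of IAM evaluation (a request that is not denied still needs an Allow to succeed); the bucket name, the Sid values, and the sample request contexts are constructed for illustration.

```python
"""Bucket policy enforcing TLS and SSE-KMS uploads, plus an offline
evaluator for its Deny conditions (added example, not AWS code)."""
import json


def build_policy(bucket: str) -> dict:
    """Return a bucket policy with the two Deny statements under discussion."""
    arn = f"arn:aws:s3:::{bucket}"          # hypothetical bucket name supplied by caller
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                # Deny when the request is NOT over TLS: the key is false,
                # not "not present" (it is always present on S3 requests).
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedOrNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                # Negated operator: also matches when the header is absent,
                # so plain unencrypted uploads are denied too.
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
        ],
    }


def _condition_matches(operator: str, key: str, expected: str, context: dict) -> bool:
    """Evaluate one condition against the request context, following IAM
    semantics for a missing key: positive operators are false, negated
    operators are true."""
    actual = context.get(key)
    if operator == "Bool":
        return actual is not None and str(actual).lower() == str(expected).lower()
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":
        return actual is None or actual != expected
    raise ValueError(f"operator not modelled: {operator}")


def _action_matches(pattern: str, action: str) -> bool:
    # Only the two forms used in build_policy: "s3:*" or an exact action.
    return action.startswith("s3:") if pattern == "s3:*" else pattern == action


def denied_by(policy: dict, action: str, context: dict):
    """Return the Sid of the first Deny statement matching the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, context)
               for op, kv in conds.items() for k, v in kv.items()):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_policy("example-bucket")          # constructed name
    print(json.dumps(policy, indent=2))
    # Constructed request contexts, as S3 would populate them.
    samples = [
        ("s3:GetObject", {"aws:SecureTransport": "false"}),
        ("s3:PutObject", {"aws:SecureTransport": "true",
                          "s3:x-amz-server-side-encryption": "aws:kms"}),
        ("s3:PutObject", {"aws:SecureTransport": "true",
                          "s3:x-amz-server-side-encryption": "AES256"}),
        ("s3:PutObject", {"aws:SecureTransport": "true"}),   # header omitted
    ]
    for action, ctx in samples:
        print(action, ctx, "->", denied_by(policy, action, ctx) or "not denied")
```

Two practical points follow from running this: the TLS statement must test for aws:SecureTransport being false rather than absent, since the key is set on every S3 request; and because the SSE statement uses a negated operator, clients that rely on the bucket's default encryption and omit the header will be denied, so they must send x-amz-server-side-encryption: aws:kms explicitly.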